On Aug 12, 2020, at 12:50 PM, Paul Wouters <[email protected]> wrote:

> The "obvious" part only referred to "use DNS records to authenticate
> DNS authoritative servers".

That phrase over-simplified. A more accurate phrasing would be "use a chain of DNS records to authenticate DNS authoritative servers". There are many ways that the chain could break, or might not even exist. The web PKI is full of single-link trust anchors. There are many ways that trusting a single link could be dangerous as well. Some of us don't find either of those as obvious as you do.

--Paul Hoffman
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
